For encrypted migration of VMs, QEMU provides the TLS-PSK authentication apart from TLS certificates. This mechanism relies on pre-shared keys (a secret key that is known to both sender and receiver prior to secure communication) for providing secure transfer of data. Libvirt handles the lifecycle of pre-shared keys, managing their generation, persistent storage, and cleanup. Add the "migrate_tls_psk_length" configuration attribute to qemu.conf to allow users to define the size of the pre-shared key. Signed-off-by: Abhisek Panda <abhisek.panda1@nutanix.com> --- src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf.in | 8 ++++++++ src/qemu/qemu_conf.c | 10 ++++++++++ src/qemu/qemu_conf.h | 1 + src/qemu/test_libvirtd_qemu.aug.in | 1 + 5 files changed, 21 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 311992e441..d58f995282 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -68,6 +68,7 @@ module Libvirtd_qemu = | str_entry "migrate_tls_x509_secret_uuid" | str_entry "migrate_tls_priority" | bool_entry "migrate_tls_force" + | int_entry "migrate_tls_psk_length" let backup_entry = str_entry "backup_tls_x509_cert_dir" | bool_entry "backup_tls_x509_verify" diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 97b0141cf6..7f36bd1a68 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -437,6 +437,14 @@ #migrate_tls_force = 0 +# The TLS-PSK authentication relies on pre-shared keys for providing secure transfer of data. +# When TLS-PSK is enabled for the migration operation, Libvirt manages the lifecycle of the +# pre-shared key files. For the key generation process, users can specify the pre-shared +# key size in bytes. The default value is set to 32 bytes. +# +#migrate_tls_psk_length = 32 + + # In order to override the default TLS certificate location for backup NBD # server certificates, supply a valid path to the certificate directory. If the # provided path does not exist, libvirtd will fail to start. If the path is diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index e30b146634..d6abb82fed 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -77,6 +77,8 @@ VIR_LOG_INIT("qemu.qemu_conf"); #define QEMU_BACKUP_PORT_MIN 10809 #define QEMU_BACKUP_PORT_MAX 10872 +#define QEMU_MIGRATE_TLS_PSK_LENGTH 32 + VIR_ENUM_IMPL(virQEMUSchedCore, QEMU_SCHED_CORE_LAST, "none", @@ -616,6 +618,10 @@ virQEMUDriverConfigLoadSpecificTLSEntry(virQEMUDriverConfig *cfg, #undef GET_CONFIG_TLS_CERTINFO_COMMON #undef GET_CONFIG_TLS_CERTINFO_SERVER + + if (virConfGetValueUInt(conf, "migrate_tls_psk_length", &cfg->migrateTLSPSKLength) < 0) + return -1; + return 0; } @@ -1594,6 +1600,10 @@ virQEMUDriverConfigSetDefaults(virQEMUDriverConfig *cfg) #undef SET_TLS_VERIFY_DEFAULT + if (cfg->migrateTLSPSKLength == 0) { + cfg->migrateTLSPSKLength = QEMU_MIGRATE_TLS_PSK_LENGTH; + } + return 0; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 1d29f35c5d..c18aedf59c 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -170,6 +170,7 @@ struct _virQEMUDriverConfig { char *migrateTLSx509secretUUID; char *migrateTLSpriority; bool migrateTLSForce; + unsigned int migrateTLSPSKLength; char *backupTLSx509certdir; bool backupTLSx509verify; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index c4cf9cf634..7e337825fd 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -45,6 +45,7 @@ module Test_libvirtd_qemu = { "migrate_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } { "migrate_tls_priority" = "@SYSTEM" } { "migrate_tls_force" = "0" } +{ "migrate_tls_psk_length" = "32" } { "backup_tls_x509_cert_dir" = "/etc/pki/libvirt-backup" } { "backup_tls_x509_verify" = "1" } { "backup_tls_x509_secret_uuid" = "00000000-0000-0000-0000-000000000000" } -- 2.43.7